Networks of computers such as intranets, local and wide area networks, and the Internet exchange information in “packets.” A packet includes data such as files and programs and can also include a header that contains information that identifies the packet and indicates its origin and destination. The header can further include network protocol identifiers and the version number of the protocol that is to be used to route the information through the network. The header can also contain information identifying the port on the source computer from which the packet was sent and the port on the destination computer to which the packet is to be sent.
Computers connected to the Internet can be given either a static or dynamic Internet Protocol, or IP, address. Packets exchanged through the Internet accordingly often include an IP source address, an IP destination address, and an IP protocol identifier in addition to source and destination port information.
Computer networks, including the Internet, control the exchange of packets in order to prevent the unauthorized disclosure, modification, or execution of data and programs on a networked computer. In packet-switching networks, this is often accomplished through the use of an Access Control List, or ACL, that contains filter rules which indicate whether a packet should be accepted or dropped based on the identifiers included in the packet header.
ACLs are typically implemented, or enforced, by a network device known as firewall. Firewalls are often a combination of software and hardware that receives a packet and then compares the source, destination, protocol and/or other identifiers in the packet header to determine which filter rule “correspond,” or applies, to the packet. The firewall then applies the corresponding rules to the packet in the order they are set forth in a firewall rule table. A filter rule is applied by determining whether the identifiers set forth in the packet header match or fall within the range of values set forth in the filter rule for each identifier. If all of the packet header identifiers match the parameters set forth in a filter rule, an action, typically an ACCEPT/DROP action, is carried out on the packet. If the packet identifiers do not match the values specified in the corresponding filter rule, the next corresponding filter rule is applied to the packet, and the above-described process is repeated. If a packet header does not satisfy any of the corresponding rules, or if no rules are found to correspond to the packet header, a default action, usually a DROP action, is carried out on the packet. The default rule is often the last rule in the firewall rule table.
In recent years, security protocols such as Internet Security Protocol (IPsec) have been implemented. Some secure protocols encrypt both the packet and one or more fields in the packet header (such as the inner port, IP address and protocol information). The encryption of the packet header information complicates enforcement of filter rules because a standard ACL is able only to query and evaluate clear, or unencrypted, packet headers.
Further difficulties can be posed by the introduction of an open network (“ON”) architecture wherein the router includes a control element (CE) that creates and manages the filter rules and a separate forwarding element (FE) that forwards the packets toward to their destination. Such architectures are “open” in the sense that they can be component-based and the components interact according to open interface protocols. In certain ON systems an effective decryption technique must be implemented across a multiplicity of forwarding elements with a single control element.
Like reference symbols in the various drawings indicate like elements.